
Please help me to identify type of ransomware


15 replies to this topic

#1 spear (Members, 7 posts)

Posted 07 July 2016 - 09:49 AM

It was an .scr file inside a zip file attached to an e-mail. I extracted it to the desktop.

After I executed it, my computer started working very slowly.

I tried to open the Task Manager (Win 7) to see which process was causing this overload, but this was impossible. After I pressed Ctrl+Alt+Del I saw the Task Manager for half a second, then it disappeared. I tried many times, but the result was the same.

Then I started Regedit and found in the startup folder the path to this .scr file on my desktop. I removed it and restarted my computer. No problem at all, but later I found out that a few hundred files had been encrypted.

ID Ransomware can't identify which ransomware I got, because I don't have the file that displays the ransom and payment information. I have only encrypted files.

All encrypted files keep the same name and the same extension. They are jpg, txt, doc, php, zip, rar, ...

Please give me advice on how to identify this .scr.

I keep a copy of the zip I received, and inside is the ransomware .scr file, if this helps.





#2 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 07 July 2016 - 10:12 AM

If ID Ransomware was unable to identify it, you may post the Case SHA1 it gives you for me to manually inspect the files.

You may submit malicious files here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

There is a chance it is the newest CryptXXX, which does not change file extensions and uses a generic "README" filename, but we will have to see the files first; a ransom note would help with identification.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 spear (Topic Starter)

Posted 07 July 2016 - 10:38 AM

Done! I just submitted one of the encrypted files. Thank you for your fast reply.



#4 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 07 July 2016 - 10:54 AM

Hmm... I'm actually seeing a bit of a pattern on part of the file.

Can you locate an encrypted file that you have a clean copy of for comparison? You could also provide a picture from the Sample Pictures; we can match it with the same OS on another system.




#5 spear (Topic Starter)

Posted 08 July 2016 - 01:07 AM

Yes, I have a backup of some photos, and here is one of them:

http://barbun.com/ransom/

original.JPG - the photo (clean) from my backup
encrypted.JPG - the same photo, but encrypted by this ransomware

the_ransomware_infected_me.rar - this is the ransomware which needs to be identified

If you need more clean files (photos), I can provide them.

Here is the result from VirusTotal: https://www.virustotal.com/bg/file/24b332e831b3466b0bc322886f5b429f3e5f1495411a3e5f59e1b6545eb70bfc/analysis/



#6 tpapple (Members, 52 posts)

Posted 08 July 2016 - 06:27 AM

Microsoft Decryptor!! CryptXXX, yep.



#7 spear (Topic Starter)

Posted 09 July 2016 - 12:45 AM

I just read a lot about CryptXXX and think that you are wrong. All my modified files have a different size compared to the original. CryptXXX-encrypted files have the same size as the original.



#8 thyrex (Members, 582 posts)

Posted 09 July 2016 - 01:57 AM

Ransom message below:

ATTENTION!
The files on your computer have been securely encrypted by Encryptor RaaS.
In order to get access to your files again, follow the instructions at:

If all of those sites are unreachable, please send one of those links to jeiphoos@sigaint.org in order to get a new one.

(German half of the note, translated:)
ATTENTION!
The files on your computer have been securely encrypted by Encryptor RaaS.
To regain access to your files, follow the instructions at:

If none of the sites is reachable, please send one of the links to jeiphoos@sigaint.org to receive a new one.


Microsoft MVP 2012-2016 Consumer Security

Microsoft Reconnect 2016


#9 thyrex (Members, 582 posts)

Posted 09 July 2016 - 02:57 AM

File types targeted for encryption:

0; -0; 000; 001; 002; 003; 004; 005; 006; 007; 008; 009; 1; -1; 10; -10; 11; -11; 12; -12; 13; -13; 14; -14; 15; -15; 16; -16; 17; -17; 18; -18;
19; -19; 1pa; 2; -2; 2fs; 3; -3; 3dm; 3ds; 3g2; 3gp; 4; -4; 5; -5; 6; -6; 7; -7; 7z; 8; -8; 9; -9; aac; aaf; abbu; abw; accdb; adr; aep; aepx; aet;
ahk; ai; aif; alt; ape; apk; arc; arv; arw; as; as3; asc; asf; ashdisc; asm; asmx; asp; aspx; asx; aup; avi; ba0; backup; bak; bas; bbb; bc;
bc!; bcmx; bdb; bde; bdf; bdg; bdi; bdk; bdl; bdm; bdmv; bdsproj; bdw; bdx; bee; ben; bes; bex; bexpk; bf; bf2; bfa; bfb; bfe; bff; bgz; bhx;
bib; bibtex; bik; bina; bkf; bkp; bks; bkup; bmp; boe; bpl; bpn; bson; btd; bz2; c; c++; cad; cadp; caf; cal; cbu; cc; cda; cdf; cdi; cdr; cdt;
cdx; cer; cert; cfc; cfg; cfm; cgi; cgn; chk; chr; class; clk; cmx; cnt; cod; conf; cpio; cpp; cpt; cpx; cr2; crd; crt; crw; crypt7; cs;
csh; csl; csproj; csr; csv; cue; d64; data; db3; dbf; dbt; dbx; dcp; dcr; dds; ddz; del; dem; des; deviceids; df; dfd; dfproj; dia; dif; diff;
dir; diz; dlc; dmg; doc; docb; docm; docx; dot; dotm; dotx; dqy; drw; ds4; dsb; dsf; dsn; dta; dtr; dtv; dwg; dxf; ebk; eddx; edoc; efx;
elfo; emf; eml; emlx; enc; eps; epub; es; es~; ex4; exp; ezm; fdb; fdf; ff1; ffa; ffl; ffo; ffs_db; fft; ffu; ffx; fh10; fh11; fi2; fig; fil;
fim; fla; flac; flg; flp; flv; fmd; fmv; fpt; fpx; ftp; fx0; fx1; fxr; gam; gar; gbc; gcode; gem; gho; ghs; gid; gif; gla; gpg; gpx; gz; h; h++;
hdd; hds; hex; hpp; hst; htc; hwp; hwp ; ico; ics; idml; idx; if; iff; iif; imb; img; imh; iml; imm; in0; indb; indd; indl; indt; ini2;
int; inx; ipd; iso; isz; iwa; j2k; jad; jar; java; jdb; jks; jmf; jp2; jpeg; jpf; jpg; jpm; jpx; json; jsp; jspa; jspx; jst; k1f; kb1; kcf;
kch; kcl; kdb; kdbx; key; keynote; kml; kmz; knt; kpr; lbl; ld; ldif; lgb; lib; lic; lis; lpd; ls; ltx; lwp; lyc; lyt; lzma; m3u; m3u8; m4a;
m4u; m4v; mab; mac; mail; mailhost; mar; max; mb; mbox; mbs; mcs; md2; mdb; mdbackup; mddata; mde; mdf; mdi; mdinfo; mds; mdw; mdx; met;
mht; mhtml; mid; mke; mlm; mmf; mnu; mobileprovision; mod; mon; mov; mozeml; mp3; mp4; mpa; mpb; mpeg; mpg; mpj; mpp; mq4; mqh; mrw; ms
msf; msg; mso; mswmm; mta; mts; mus; mx0; myd; myf; myi; nam; nap; nba; nbf; nbi; nbu; nbz; nco; nd; nef; nes; net; new; nfo; nick; nng; note;
nr; nrg; nri; nru; ns; nws; nzb; oa4; oac; odb; odc; odg; odp; ods; odt; ogg; old; one; onepkg; ops; opt; or4; orf; org; otm; ott; ova; ovf;
ovpn; oxps; p; p12; p2i; p65; p7; pages; pat; patch; pbi; pbx; pcd; pct; pcx; pdf; pdfx; pehape; pem; pfb; pfq; pfx; pgp; php; php3; php4; php5;
phps; phpx; phpxx; phtm; phtml; pic; pid; pins; pip; pk; pl; plb; plist; plt; pm1; pmd; pmk; pmm; pmx; pnf; png; pot; potm; potx; pp4;
pp5; ppa; ppam; ppdf; ppf; ppj; pps; ppsm; ppsx; ppt; pptm; pptx; pref; prn; prproj; prt; ps; ps1; psd; psp; pspimage; pst; ptb; ptn; ptn2;
ptx; pub; pvm; pwd; pwi; px; py; pym; qba; qbb; qbi; qbm; qbo; qbp; qbquery; qbr; qbw; qbx; qby; qcn; qcow; qcow2; qpd; qsm; qss; qst; qt; qwc;
qxp; r0; ra; raf; rar; raw; rb; rdp; recipients; recipientsbackup0; recipientsbackup1; recipientsbackup2; recipientsbackup3;
recipientsbackup4; recipientsbackup5; recipientsbackup6; recipientsbackup7; recipientsbackup8; recipientsbackup9; repl;
rif; riff; rm; rpb; rpmsg; rtf; rtp; rw2; s; sam; sav; sb; sbf; schd; sct; scv; sda; sdc; sdf; sdi; sds; sdx; sdy; secure; seed; sel; seq; ses;
set; sfs; sfv; shlb; shs; shw; skb; skd; skp; sldm; sldx; slf; slk; sln; slt; sme; smk; smm; smp; smr; sms; spb; spi; spro; sql; sqlite; sqlitedb;
srp; srt; srv; ssc; ssi; sss; stf; stg; stl; stw; sub; suo; svg; swf; sxw; symbolmap; syncdb; tag; tar; tav; tb3; tc; tdl; tex; tga;
thm; thmx; tib; tif; tiff; tlg; tlx; toast; torrent; tpl; ts; tv; tvc; txt; ucd; ufo; user; v30; val; vbk; vcard; vcd; vcf; vcs; vcxproj;
vdi; vfs4; vhd; vhdx; vir; vmc; vmdk; vmx; vob; vrge08contact; vsd; vsv; wab; wallet; war; wav; wbk; wbverify; wc; wdseml; webarchive;
webm; whtt; wi; wim; win; wk3; wk4; wlt; wma; wmb; wmf; wmv; workflow; wpb; wpd; wpg; wpl; wps; wsb; xcf; xdw; xed; xg0; xg1; xg2; xla; xlam;
xlg; xlk; xll; xlm; xlr; xls; xlsb; xlsm; xlsx; xlt; xltm; xltx; xlw; xoml; xpm; xps; xqx; xsn; xz; yg0; yg1; yg2; yuv; z; zip; zipx;

 

 




#10 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 09 July 2016 - 06:34 AM

spear wrote:
> I just read a lot about CryptXXX and think that you are wrong. All my modified files have a different size compared to the original. CryptXXX-encrypted files have the same size as the original.

Did you submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation? If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#11 spear (Topic Starter)

Posted 10 July 2016 - 12:54 PM

quietman7 wrote:
> Did you submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation? If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

I don't have ransom notes; please see above for why I don't have them.

Where do I post the SHA1 case, and what is it?


Edited by spear, 10 July 2016 - 12:54 PM.


#12 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 10 July 2016 - 12:57 PM

That is a screenshot from ID Ransomware - if it cannot identify, then you can post the case SHA1 it gives here so I can retrieve your case - it is a mechanism to maintain anonymity and so only I can view the files.

I have updated a definition on IDR for the newest CryptXXX; could you upload a few different encrypted files to ID Ransomware (link in my signature) and see if it picks up on it?

Edited by Demonslay335, 10 July 2016 - 12:58 PM.



#13 spear (Topic Starter)

Posted 10 July 2016 - 11:57 PM

OK, done. I just uploaded 3 files; here are the SHA1s of each one:

SHA1: c6b65f5ad01c690876b823e154b442d86475204d

SHA1: 10dda62b864d6cf5d9c5c51ce31b3ae5571965d3

SHA1: 0d74a76b0a9af3861903fac0134ef6d82ff6d830



#14 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 11 July 2016 - 11:26 AM

I'm afraid I cannot identify what ransomware did this. The latest CryptXXX does append bytes to the file, so the filesize difference isn't a case against that. I've recently found a certain hex pattern that has successfully identified victims so far, but this pattern is not in any of the files you have provided, and they are all different. I can only surmise it could be an AES or RSA encryption based on the entropy of the bytes, but that hardly narrows it down to any particular ransomware (majority use one of these two).

 

Without a ransom note, I believe the only way now is to check out the malware itself, which you said you still have as a ".scr" file correct? You may submit it here, and we'll just have to sandbox it or pick it apart to see what it is: http://www.bleepingcomputer.com/submit-malware.php?channel=168


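The triage Demonslay335 describes in #4 and #14 (compare an encrypted file against a clean copy, look at the size delta and the entropy of the bytes, and search several encrypted samples for a shared hex marker) can be scripted. The block below is an added example written for this page; it is not a tool from the thread and not ID Ransomware's code. The "clean" buffer, the pseudorandom stand-in for the locker and the `FAKE-FAMILY-TAG` footer are all constructed here and do not represent Encryptor RaaS, CryptXXX or any real family.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-in for the clean original.JPG: a JPEG-like header plus
# low-entropy filler. Not real image data.
CLEAN = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"sample pixel data " * 100

# Constructed footer standing in for "what a family marker looks like".
# It is NOT the marker of any real ransomware family.
MARKER = b"\x00FAKE-FAMILY-TAG\x00"


def _prng_bytes(seed: bytes, n: int) -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) so the example is
    reproducible offline; a real locker would have AES/RSA output here."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def fake_encrypt(plaintext: bytes, seed: bytes, marker: bytes = b"") -> bytes:
    """Constructed locker stand-in: whole-file replacement by pseudorandom
    bytes of equal length, optionally followed by a fixed marker."""
    return _prng_bytes(seed, len(plaintext)) + marker


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling. Encrypted or compressed data sits
    near 7.9+, while a JPEG header, text or an Office file sits well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compare_with_clean(clean: bytes, enc: bytes, window: int = 16) -> dict:
    """Known-plaintext triage for one file pair: bytes added or removed,
    entropy of both copies, and whether the original header survived
    (some lockers skip or only partially encrypt the first bytes)."""
    return {
        "size_delta": len(enc) - len(clean),
        "clean_entropy": round(shannon_entropy(clean), 3),
        "enc_entropy": round(shannon_entropy(enc), 3),
        "header_intact": enc[:window] == clean[:window],
    }


def common_prefix_len(samples) -> int:
    """Number of leading bytes identical across every sample."""
    n = 0
    for column in zip(*samples):
        if len(set(column)) != 1:
            break
        n += 1
    return n


def pattern_report(samples, min_len: int = 4) -> dict:
    """Cross-sample check for a fixed marker at the start or end of the
    encrypted files. A shared run of min_len+ bytes is the kind of hex
    pattern an identification service can key a definition on; two
    unrelated ciphertexts agree on a given byte only 1 time in 256."""
    p = common_prefix_len(samples)
    s = common_prefix_len([x[::-1] for x in samples])
    return {
        "prefix_len": p,
        "prefix": samples[0][:p],
        "suffix_len": s,
        "suffix": samples[0][len(samples[0]) - s:],
        "shared_marker": p >= min_len or s >= min_len,
    }


def build_samples():
    """Two constructed sets: three files from a 'family' that appends MARKER,
    and three from one that leaves no fixed pattern (the situation in #14)."""
    with_marker = [fake_encrypt(CLEAN, b"k%d" % i, MARKER) for i in range(3)]
    no_marker = [fake_encrypt(CLEAN, b"n%d" % i) for i in range(3)]
    return with_marker, no_marker


if __name__ == "__main__":
    marked, unmarked = build_samples()
    print("pair:", compare_with_clean(CLEAN, marked[0]))
    print("family with footer:", pattern_report(marked))
    print("family without pattern:", pattern_report(unmarked))
```

On real files, feed `compare_with_clean` the original and encrypted copies of the same photo and `pattern_report` a handful of encrypted files of different types; a size delta with no shared prefix or suffix and entropy near 8 on every sample is exactly the "nothing to key on" result reported in #14, and rules nothing out on its own.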


#15 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 11 July 2016 - 07:00 PM

Thanks, I've received the malware you submitted.

I believe you are dealing with RaaS. The malware dropped a ransom note on VirusTotal that is a known ransom note pattern for RaaS.

https://www.virustotal.com/en/file/bdc140ce86f2d140c4d832c0d8fa5fe4d2652096c22c4075f74815841e0cc2ec/analysis/1468240758/

.\readme_liesmich_encryptor_raas_45a04d360fb01867ab6afe7b953c8f83d655e50a.txt

I will grab the ransom note contents to confirm later.

More information on Encryptor RaaS.

Edit:

Here's the contents of the ransom note. Definitely Encryptor RaaS; I'm afraid there is no way of decrypting files at this time. You can only restore from backups, or back up the encrypted files and hope for the future if you are not planning on paying the ransom.

ATTENTION!
The files on your computer have been securely encrypted by Encryptor RaaS.
In order to get access to your files again, follow the instructions at:
http://ub5eirrbs34corvj.onion.link/vict?cust=45a04d360fb01867ab6afe7b953c8f83d655e50a&guid=a08e6f04-c1c7-48a8-8bfc-ac7a86a7ff29&ever=2016-07-03_1&wver=0601b01d4336&fc=0
https://ub5eirrbs34corvj.onion.cab/vict?cust=45a04d360fb01867ab6afe7b953c8f83d655e50a&guid=a08e6f04-c1c7-48a8-8bfc-ac7a86a7ff29&ever=2016-07-03_1&wver=0601b01d4336&fc=0
https://ub5eirrbs34corvj.onion.to/vict?cust=45a04d360fb01867ab6afe7b953c8f83d655e50a&guid=a08e6f04-c1c7-48a8-8bfc-ac7a86a7ff29&ever=2016-07-03_1&wver=0601b01d4336&fc=0
https://ub5eirrbs34corvj.tor2web.org/vict?cust=45a04d360fb01867ab6afe7b953c8f83d655e50a&guid=a08e6f04-c1c7-48a8-8bfc-ac7a86a7ff29&ever=2016-07-03_1&wver=0601b01d4336&fc=0

If all of those sites are unreachable, please send one of those links to jeiphoos@sigaint.org in order to get a new one.

(German half of the note, translated:)
ATTENTION!
The files on your computer have been securely encrypted by Encryptor RaaS.
To regain access to your files, follow the instructions at:
http://ub5eirrbs34corvj.onion.link/vict?cust=45a04d360fb01867ab6afe7b953c8f83d655e50a&guid=a08e6f04-c1c7-48a8-8bfc-ac7a86a7ff29&ever=2016-07-03_1&wver=0601b01d4336&fc=0
https://ub5eirrbs34corvj.onion.cab/vict?cust=45a04d360fb01867ab6afe7b953c8f83d655e50a&guid=a08e6f04-c1c7-48a8-8bfc-ac7a86a7ff29&ever=2016-07-03_1&wver=0601b01d4336&fc=0
https://ub5eirrbs34corvj.onion.to/vict?cust=45a04d360fb01867ab6afe7b953c8f83d655e50a&guid=a08e6f04-c1c7-48a8-8bfc-ac7a86a7ff29&ever=2016-07-03_1&wver=0601b01d4336&fc=0
https://ub5eirrbs34corvj.tor2web.org/vict?cust=45a04d360fb01867ab6afe7b953c8f83d655e50a&guid=a08e6f04-c1c7-48a8-8bfc-ac7a86a7ff29&ever=2016-07-03_1&wver=0601b01d4336&fc=0

If none of the sites is reachable, please send one of the links to jeiphoos@sigaint.org to receive a new one.

Edited by Demonslay335, 11 July 2016 - 08:08 PM.

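The note that settled the identification has a regular structure: a dropped filename carrying a 40-hex `cust` value, and four mirror links (one onion name behind four Tor2Web gateways) that repeat the same query string. The parser below is an added example for this page, not code from ID Ransomware or RansomNoteCleaner. Its sample input is the English half of the note quoted above with two of the four mirror links, and it checks that the `cust` id in the filename matches the one in the links. The field names, gateway hosts and identifiers come from the note; the regexes and the consistency rule are this example's own assumptions.

```python
import re

# Note text taken from the post above (English half, two of the four mirror
# links); used here only as sample input for the parser.
SAMPLE_NOTE = """ATTENTION!
The files on your computer have been securely encrypted by Encryptor RaaS.
In order to get access to your files again, follow the instructions at:
http://ub5eirrbs34corvj.onion.link/vict?cust=45a04d360fb01867ab6afe7b953c8f83d655e50a&guid=a08e6f04-c1c7-48a8-8bfc-ac7a86a7ff29&ever=2016-07-03_1&wver=0601b01d4336&fc=0
https://ub5eirrbs34corvj.tor2web.org/vict?cust=45a04d360fb01867ab6afe7b953c8f83d655e50a&guid=a08e6f04-c1c7-48a8-8bfc-ac7a86a7ff29&ever=2016-07-03_1&wver=0601b01d4336&fc=0

If all of those sites are unreachable, please send one of those links to jeiphoos@sigaint.org in order to get a new one.
"""

# Filename of the note dropped in the VirusTotal run quoted above.
SAMPLE_NOTE_NAME = "readme_liesmich_encryptor_raas_45a04d360fb01867ab6afe7b953c8f83d655e50a.txt"

# Fixed stem plus a 40-hex id (assumed pattern, built from the one sample).
NOTE_NAME_RE = re.compile(r"^readme_liesmich_encryptor_raas_([0-9a-f]{40})\.txt$", re.I)

# Mirror link: a v2 onion name (16 base32 chars) behind one of the gateways
# named in the note, then the fixed query string with its five fields.
NOTE_LINK_RE = re.compile(
    r"https?://([a-z2-7]{16})\.(onion\.link|onion\.cab|onion\.to|tor2web\.org)/vict\?"
    r"cust=([0-9a-f]{40})&guid=([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
    r"&ever=([^&\s]+)&wver=([0-9a-f]+)&fc=(\d+)",
    re.I,
)

CONTACT_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def parse_note(text: str):
    """Pull the identifying fields out of an Encryptor RaaS style note.
    Returns None when no mirror link is found, so an unrelated note is not
    misreported as this family just because it contains an onion link."""
    links = [
        {"onion": m.group(1).lower(), "gateway": m.group(2).lower(),
         "cust": m.group(3).lower(), "guid": m.group(4).lower(),
         "ever": m.group(5), "wver": m.group(6).lower(), "fc": int(m.group(7))}
        for m in NOTE_LINK_RE.finditer(text)
    ]
    if not links:
        return None
    first = links[0]
    # Every mirror must carry the same onion and victim ids; a mismatch means
    # the note was edited or stitched together from two infections.
    consistent = all(
        (l["onion"], l["cust"], l["guid"], l["ever"])
        == (first["onion"], first["cust"], first["guid"], first["ever"])
        for l in links
    )
    return {
        "onion": first["onion"],
        "gateways": sorted({l["gateway"] for l in links}),
        "cust": first["cust"],
        "guid": first["guid"],
        "ever": first["ever"],
        "wver": first["wver"],
        "contacts": sorted(set(CONTACT_RE.findall(text))),
        "links": len(links),
        "consistent": consistent,
    }


def note_name_matches(filename: str, parsed) -> bool:
    """The dropped filename embeds the same cust id as the links; checking
    this ties a stray note file to the links it was dropped with."""
    m = NOTE_NAME_RE.match(filename)
    return bool(m) and parsed is not None and m.group(1).lower() == parsed["cust"]


if __name__ == "__main__":
    info = parse_note(SAMPLE_NOTE)
    print(info)
    print("filename matches:", note_name_matches(SAMPLE_NOTE_NAME, info))
```

The `ever` and `wver` fields are kept as opaque strings: the note gives no definition of them, so the parser records them for comparison across victims without interpreting them.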




